IMPORTANT Website terms of use and cookie statement

Cover your Cyber Essentials

Identify the level of cyber protection you need.

25 May 2017

The recent global ransomware attacks have thrown into sharp relief the vulnerability of even major organisations to malicious cyber attacks. What then of the construction industry?

The UK construction industry has not yet suffered any known high profile cyber attacks, but IT consultants think it is rather a matter of when, not if.


It’s only a matter of time before hacking activity percolates through building-related IT systems, consultants warn.

‘In my view, it will be just too enticing and only a matter of time before hacking activity percolates through built environment systems,’ says Steve Race, BIM consultant and contributor to the Institution of Engineering and Technology’s (IET) original 'Code of Practice for Cyber Resilience in the Built Environment'.

Meanwhile, opportunities for hacking into buildings-related IT systems continue to multiply.

Every remotely accessible building management system has its own IP address, just like every internet connected PC or laptop. Commercially sensitive data is routinely stored in the Cloud and BIM is based on the principle of shared access for every member of the supply chain, from multi-disciplinary global consultant to sole practitioner.

There are different levels of possible threat, from teenage hacker mischief to organised criminal activities.

Race highlights possible scenarios: Accessing of contract documents to redirect supplies; adding or subtracting a zero here or there in a specification or costing; changing “shall” to “shall not” in the terms of appointment. Then there is the possibility of criminal elements intercepting design plans for prisons, pharmacy departments in hospitals, or infrastructure systems.

Architects are already required to address the issue of data confidentiality in the Architects Code of Conduct. Clause 4.2 says practitioners should ensure that adequate security is in place to safeguard paper and electronic records for clients.

To Race, there are separate issues at play: the need to fulfil one’s professional obligations, and the need to protect data as party to a contract.

If facing a charge of professional negligence, it should be sufficient to have taken what could be regarded as ‘reasonable steps’, such as having up-to-date anti-virus software, network firewalls in place, password protected access to data, and data regularly backed up and kept offline.

Race recommends that architects should take the government’s Cyber Essentials self-assessment questionnaire as a first step to identifying the proportionate level of cyber protection they should be maintaining.

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common threats. Its free guidance helps organisations put essential security controls in place.

‘Practice principals need to start thinking about, and be aware of, the trends, and where the liabilities will lie. They will need people in the practice who at least understand the systems being used and how they are controlled and accessed,’ says Race.

At a more sophisticated level he hopes to see the industry’s heavyweights hiring their own ‘resilience engineer’ to take charge of cyber security.

'Thanks to Steve Race, independent BIM Consultant and lecturer on the MSc BIM course at Westminster University'.

by Neal Morris

This is a ‘Practice News’ post edited by the RIBA Practice team. The team would like to hear your feedback and ideas for Practice News: practice@riba.org

Latest updates

keyboard_arrow_up To top